This document provides a sample configuration of Secure Shell (SSH) on the inside and outside interfaces of the Cisco Series Security Appliance, version 7.x and later. Configuring the Series Security Appliance remotely from the command line involves either Telnet or SSH. Because Telnet communications, including passwords, are sent in clear text, SSH is highly recommended. SSH traffic is encrypted in a tunnel, which helps protect passwords and other configuration commands from interception.

The Security Appliance allows SSH connections to the security appliance for management purposes. The security appliance allows a maximum of five concurrent SSH connections for each security context, if available, and a global maximum of 100 connections for all of the contexts combined.

In this configuration example, the PIX Security Appliance is considered to be the SSH server. The traffic from SSH clients (10.1.1.2/24 and 172.16.1.1/16) to the SSH server is encrypted. The security appliance supports the SSH remote shell functionality provided in SSH versions 1 and 2 and supports Data Encryption Standard (DES) and 3DES ciphers. SSH versions 1 and 2 are different and are not interoperable.

The information in this document is based on Cisco PIX Firewall Software version 7.1 and 8.0.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Note: SSHv2 is supported in PIX/ASA version 7.x and later; it is not supported in versions earlier than 7.x.

Note: If you use a TACACS+ or RADIUS server group for authentication, you can configure the security appliance to use the local database as a fallback method if the AAA server is unavailable. Specify the server group name and then LOCAL (LOCAL is case sensitive). We recommend that you use the same username and password in the local database as on the AAA server, because the security appliance prompt does not give any indication of which method is used.

Example:

pix(config)#aaa authentication ssh console TACACS+ LOCAL

Note: You can alternatively use the local database as your main method of authentication with no fallback. In order to do this, enter LOCAL alone.

Example:

pix(config)#aaa authentication ssh console LOCAL

OR

Use the default username of pix and the default Telnet password of cisco. You can change the Telnet password with this command:

pix(config)#passwd password

Note: The password command can also be used in this situation. Both commands do the same thing.

Generate an RSA key pair for the PIX Firewall, which is required for SSH:

pix(config)#crypto key generate rsa modulus modulus_size

Note: The modulus_size (in bits) can be 512, 768, 1024, or 2048. The larger the key modulus size you specify, the longer it takes to generate the RSA key pair. The value of 1024 is recommended.

Note: The command used to generate an RSA key pair is different for PIX software versions earlier than 7.x. In earlier versions, a domain name must be set before you can create keys.

Note: In multiple context mode, you must generate the RSA keys for every context. In addition, crypto commands are not supported in system context mode.

Specify the hosts allowed to connect to the security appliance.

This command specifies the source address, netmask, and interface of the host(s) allowed to connect with SSH. It can be entered multiple times for multiple hosts, networks, or interfaces. In this example, one host on the inside and one host on the outside are permitted.
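The steps above, collected into one complete SSH management-access configuration for a PIX/ASA 7.x appliance. This is an added example, not configuration from the original document: it uses the local user database as the only authentication method and the two client addresses the document names; the hostname, domain name, username, password, idle timeout and the `ssh` host entries are assumed values chosen for illustration. The commands are entered in global configuration mode.

```cisco
! Added example (not from the original document). Placeholder values:
! hostname, domain name, username, password and timeout are assumed.
hostname pix
domain-name example.com
!
! Local administrator account presented at the SSH login prompt
! (placeholder credentials; replace before use).
username sshadmin password <placeholder-password> privilege 15
!
! Authenticate SSH sessions against the local database only.
! LOCAL is case sensitive.
aaa authentication ssh console LOCAL
!
! RSA key pair required by the SSH server; 1024 bits is the size
! recommended in the document. Larger moduli take longer to generate.
crypto key generate rsa modulus 1024
!
! Permit exactly one host on each interface. A 255.255.255.255 mask
! limits each entry to a single source address instead of a subnet.
ssh 10.1.1.2 255.255.255.255 inside
ssh 172.16.1.1 255.255.255.255 outside
!
! Accept only SSHv2 clients (SSHv1 and SSHv2 are not interoperable)
! and close sessions idle for more than 10 minutes.
ssh version 2
ssh timeout 10
!
! Persist the running configuration to flash.
write memory
```

Two settings here carry most of the security weight: the 255.255.255.255 masks keep the management allowlist to the two named hosts, and `ssh version 2` refuses SSHv1 clients. Restricting the outside entry to a single address is what makes it acceptable to expose SSH on that interface at all.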

Provide the username and the login password of the PIX 500 Series Security Appliance while you open the SSH session. When you start an SSH session, a dot (.) displays on the security appliance console before the SSH user authentication prompt appears:

hostname(config)# .

The display of the dot does not affect the functionality of SSH. The dot appears at the console when a server key is generated or a message is decrypted with private keys during SSH key exchange before user authentication occurs. These tasks can take up to two minutes or longer. The dot is a progress indicator that verifies that the security appliance is busy and has not hung.

Choose Configuration > Device Management > Certificate Management > Identity Certificates, click Add and use the default options presented in order to generate the same RSA keys with ASDM.

Under Add a new Identity certificate, click New in order to add a default key pair if one does not exist. Then, click Generate Now.

Choose Configuration > Device Management > Management Access > Command Line (CLI) > Secure Shell (SSH) in order to use ASDM to specify hosts allowed to connect with SSH and to specify the version and timeout options.

Click Save on top of the window in order to save the configuration.

When prompted to save the configuration on flash, choose Apply in order to save the configuration.

In order to add Telnet access to the console and set the idle timeout, issue the telnet command in global configuration mode. By default, Telnet sessions that are left idle for five minutes are closed by the security appliance. In order to remove Telnet access from a previously set IP address, use the no form of this command.

The telnet command lets you specify which hosts can access the security appliance console with Telnet.

Note: You can enable Telnet to the security appliance on all interfaces. However, the security appliance enforces that all Telnet traffic to the outside interface be protected by IPsec. In order to enable a Telnet session to the outside interface, configure IPsec on the outside interface to include IP traffic that is generated by the security appliance and enable Telnet on the outside interface.

Note: In general, the PIX/ASA does not allow Telnet to any interface that has a security level of 0 or a security level lower than that of any other interface.

Note: It is not recommended to access the security appliance through a Telnet session. Authentication credentials, such as the password, are sent in clear text, and all communication between the Telnet server and client is in clear text. Cisco recommends SSH for more secure communication.

If you enter an IP address, you must also enter a netmask. There is no default netmask. Do not use the subnetwork mask of the internal network. The netmask is only a bit mask for the IP address. In order to limit access to a single IP address, use 255 in each octet; for example, 255.255.255.255.

If IPsec is in operation, you can specify an unsecure interface name, which is typically the outside interface. At a minimum, you can configure the crypto map command in order to specify an interface name to use with the telnet command.

Issue the password command in order to set a password for Telnet access to the console. The default is cisco. Issue the who command in order to view which IP addresses currently access the security appliance console. Issue the kill command in order to terminate an active Telnet console session.

In order to enable a Telnet session to the inside interface, review these examples:

Example 1

This example permits only the host 10.1.1.1 to gain access to the security appliance console through Telnet:

pix(config)#telnet 10.1.1.1 255.255.255.255 inside

Example 2

This example permits only the network 10.0.0.0/8 to gain access to the security appliance console through Telnet:

pix(config)#telnet 10.0.0.0 255.0.0.0 inside

Example 3

This example allows all networks to gain access to the security appliance console through Telnet:

pix(config)#telnet 0.0.0.0 0.0.0.0 inside

If you use the aaa command with the console keyword, the Telnet console access must be authenticated with an authentication server.

Note: If you have configured the aaa command in order to require authentication for the security appliance Telnet console access and the console login request times out, you can gain access to the security appliance from the serial console. In order to do this, enter the security appliance username and the password that is set with the enable password command.

Issue the telnet timeout command in order to set the maximum time that a console Telnet session can be idle before it is logged off by the security appliance. You cannot use the no telnet command with the telnet timeout command.

RADIUS can also be used to authenticate SSH access.

When an attempt is made to access the security appliance with Telnet, SSH, HTTP, or a serial console connection and the traffic matches an authentication statement, the security appliance requests a username and password. It then sends these credentials to the RADIUS (ACS) server, and grants or denies CLI access based on the response from the server.
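An added example (not configuration from the original document) of the RADIUS flow just described, combined with the local-database fallback from the earlier note: the server group name, the RADIUS server address, the shared key and the local username and password are assumed placeholder values.

```cisco
! Added example (not from the original document). The server group
! name, server address, shared key and credentials are placeholders.
!
! Define a RADIUS server group and one server reachable via the
! inside interface; the last argument is the shared secret.
aaa-server MGMT-RADIUS protocol radius
aaa-server MGMT-RADIUS (inside) host 10.1.1.5 <placeholder-shared-key>
!
! Local account that mirrors the RADIUS credentials. It is consulted
! only when the RADIUS server does not respond, and the login prompt
! gives no indication of which method answered.
username sshadmin password <placeholder-password> privilege 15
!
! Try the RADIUS group first, then fall back to the local database.
! LOCAL is case sensitive.
aaa authentication ssh console MGMT-RADIUS LOCAL
```

The fallback only triggers when the server is unreachable, not when it rejects the credentials, so a wrong password against a healthy RADIUS server is still denied rather than retried locally.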

Certain situations, such as when you upgrade PIX software or change the SSH version on the PIX, can require you to remove and re-create the RSA keys. Issue this command in order to remove the RSA key pair from the PIX: